Apache Pre VirtualHost Include and SSL Cipher Suite cPanel Config

vlee

Just being nice today...

I found the following configuration very helpful in providing solid security on cPanel servers.

Scored an A+ on the SSL Server Test (Powered by Qualys SSL Labs)

No weak Cipher Suites at all.

Everyone is welcome to use what I have and even improve it; please post your improvements in this thread. Thank you.

SSL Cipher Suite
Code:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
Apache Pre VirtualHost Include
Code:
# Enable SSLUseStapling
SSLUseStapling on
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLHonorCipherOrder On
SSLCompression off

# Enable HTTP Strict Transport Security
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Enable HTTP Secure Cookie
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# DISABLE CACHING
<IfModule mod_headers.c>
    Header set Cache-Control "max-age=0, private, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires 0
</IfModule>

# Enable GZIP Compression.
<IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
    <IfModule mod_setenvif.c>
        # Netscape 4.x has some problems...
        BrowserMatch ^Mozilla/4 gzip-only-text/html
      
        # Netscape 4.06-4.08 have some more problems
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
      
        # MSIE masquerades as Netscape, but it is fine
        # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
      
        # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
        # the above regex won't work. You can use the following
        # workaround to get the desired effect:
        BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
      
        # Don't compress images
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    </IfModule>
 
    <IfModule mod_headers.c>
        # Make sure proxies don't deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
</IfModule>
I hope this helps you all out.
 

PbG

Thank you again vlee! This suite looks good! I just need to figure out how to change the sort order so all 256 are preferred over 128.



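Added example (not written by either poster): one way to get the ordering asked about in the reply above, with every AES256 suite ahead of every AES128 suite. It reorders the posted list with a stable sort, so the ECDHE-ECDSA, ECDHE-RSA, DHE-RSA sequence is kept inside each key size, and it relies on the posted `SSLHonorCipherOrder On` for the server order to take effect. The function names and the `aead_first` option (GCM ahead of CBC within a key size, which goes beyond the question) are assumptions of this example.

```python
import re

# Cipher list exactly as posted in the thread (OpenSSL suite names).
POSTED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
)

# Accepts only the name shapes used in the posted list; anything else is
# rejected instead of being silently carried into the new order.
_SUITE = re.compile(r"^(ECDHE|DHE)-(ECDSA|RSA)-AES(128|256)-(GCM-)?SHA(256|384)?$")


def parse_suite(name):
    """Split one OpenSSL suite name into the fields the sort needs."""
    m = _SUITE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name!r}")
    kx, auth, bits, gcm, _mac = m.groups()
    return {"name": name, "kx": kx, "auth": auth,
            "bits": int(bits), "aead": gcm is not None}


def prefer_256(cipher_string, aead_first=False):
    """Return the list with AES256 suites first; ties keep the input order."""
    names = [n for n in cipher_string.strip().split(":") if n]
    if len(set(names)) != len(names):
        raise ValueError("duplicate suite in list")
    suites = [parse_suite(n) for n in names]

    def key(s):
        # Larger key size sorts first; optionally GCM before CBC inside a size.
        return (-s["bits"], (0 if s["aead"] else 1) if aead_first else 0)

    # sorted() is stable, so equal keys stay in the order they were posted.
    return ":".join(s["name"] for s in sorted(suites, key=key))


def as_directive(cipher_string):
    """Format the list as an Apache SSLCipherSuite line."""
    return "SSLCipherSuite " + cipher_string


if __name__ == "__main__":
    print(as_directive(prefer_256(POSTED)))
```

Re-run the SSL Server Test after changing the order to confirm the preferred suites are the ones actually negotiated.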